DSXchange: DataStage and IBM Websphere Data Integration Forum
This topic has been marked "Resolved."
Criaz91
Participant



Joined: 09 Nov 2017
Posts: 8

Points: 111

Posted: Thu Nov 09, 2017 7:19 am

DataStage® Release: 11x
Job Type: Parallel
OS: Windows
Additional info: Hierarchical stage doesn't appear to be working with TLSv1.2.
Hi

When I click on the "Edit assembly" button in the Hierarchical Data stage, I get the following error message on the engine tier:

---------------------------------------------------------------------------------------------------------------------------------

Code:
[10/18/17 13:24:29:428 GMT] 0003a4b2 SSLHandshakeE E   SSLC0008E: Unable to initialize SSL connection.  Unauthorized access was denied or security settings have expired.  Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
   at com.ibm.jsse2.ab.y(ab.java:439)
   at com.ibm.jsse2.nc.b(nc.java:227)
   at com.ibm.jsse2.nc.c(nc.java:339)
   at com.ibm.jsse2.nc.wrap(nc.java:256)
   at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:25)
   at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:744)
   at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:565)
   at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:294)
   at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
   at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
   at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
   at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
   at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
   at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
   at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
   at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
   at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
   at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1862)
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
   at com.ibm.jsse2.j.a(j.java:24)
   at com.ibm.jsse2.nc.a(nc.java:132)
   at com.ibm.jsse2.ab.a(ab.java:130)
   at com.ibm.jsse2.ab.a(ab.java:207)
   at com.ibm.jsse2.cb.a(cb.java:657)
   at com.ibm.jsse2.cb.a(cb.java:625)
   at com.ibm.jsse2.ab.r(ab.java:528)
   at com.ibm.jsse2.ab$1.a(ab$1.java:2)
   at com.ibm.jsse2.ab$1.run(ab$1.java:1)
   at java.security.AccessController.doPrivileged(AccessController.java:366)
   at com.ibm.jsse2.ab$c_.run(ab$c_.java:11)
   at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:831)
   ... 12 more

.
---------------------------------------------------------------------------------------------------------------------------------

Protocol TLSv1 is disabled on our engine tier (WAS 8.5.5.1 & InfoSphere Information Server 11.3.1.2); only TLSv1.2 is allowed (the engine tier is installed on SUSE Linux).
I get the above-mentioned error message on the client tier (IIS 11.3.1.2) in DataStage Designer, which is installed on Windows Server 2012. We're using Java version "1.7.0" on both tiers.

Does anybody have any idea how to force the DataStage client to use only TLSv1.2? I already tried adding "Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12" to the Hierarchical Data stage JVM optional arguments, but it didn't work for me.

Any assistance would be appreciated, thank you in advance.
qt_ky



Group memberships:
Premium Members

Joined: 03 Aug 2011
Posts: 2795
Location: USA
Points: 21121

Posted: Thu Nov 09, 2017 7:41 am

Try checking the settings and the APAR mentioned in this tech note:

http://www-01.ibm.com/support/docview.wss?uid=swg21699845

_________________
Choose a job you love, and you will never have to work a day in your life. - Confucius
Criaz91
Participant



Joined: 09 Nov 2017
Posts: 8

Points: 111

Posted: Thu Nov 09, 2017 7:57 am

Hi, APAR JR52781 is included in "IBM InfoSphere Information Server, Version 11.3.1.2", which we currently have installed, and I did every step on that page before I posted my question here, and it didn't help.
qt_ky



Group memberships:
Premium Members

Joined: 03 Aug 2011
Posts: 2795
Location: USA
Points: 21121

Posted: Thu Nov 09, 2017 10:45 am

Would have been nice to know that... Have you tried working with Support?

_________________
Choose a job you love, and you will never have to work a day in your life. - Confucius
Criaz91
Participant



Joined: 09 Nov 2017
Posts: 8

Points: 111

Posted: Tue Nov 14, 2017 7:03 am

Yes, today I contacted support regarding this issue.
skathaitrooney
Participant



Joined: 06 Jan 2015
Posts: 97

Points: 882

Posted: Thu Nov 16, 2017 4:26 am

Did you manage to resolve it?
skathaitrooney
Participant



Joined: 06 Jan 2015
Posts: 97

Points: 882

Posted: Thu Nov 23, 2017 2:47 am

I performed all the steps mentioned in the IBM tech note and, in the Hierarchical stage, passed these Optional Arguments:
Code:
-Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12


It works for me.

Did you manage to work it through?
cdp



Group memberships:
Premium Members

Joined: 15 Dec 2009
Posts: 113
Location: New Zealand
Points: 1632

Posted: Wed Jan 17, 2018 2:25 pm

Hi, I had a similar issue when trying to call the Microsoft Dynamics 365 API on DS 11.3 fp1 recently... Microsoft disabled support for TLS1, which is perfectly understandable!

I did not need to apply a patch, we just upgraded the JDK and added the following line to the Hierarchical Stage properties:

Quote:
-Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12


See here:
http://www-01.ibm.com/support/docview.wss?uid=swg22008850

Wasted days trying to find the issue (Thanks Wireshark!) and very tempted to blame it all on Microsoft.
Seriously IBM... TLS v1 in 2018 ??????!
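What a packet capture of this failure shows, as an added example that is not part of any post in the thread and is not IBM code: a parser for the TLS ClientHello that reads the version the client offers and applies a server-side protocol allow-list like the TLSv1.2-only engine tier. The function names and the sample ClientHello bytes are constructed for illustration.

```python
import struct

# Wire codes for the protocol versions relevant to this thread.
NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def parse_client_hello(record: bytes) -> dict:
    """Extract the record-layer version and ClientHello.client_version."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or rec_len < 6:
        raise ValueError("not a complete handshake record")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    # client_version sits right after the 4-byte handshake header. In TLS 1.2
    # and earlier it is the highest version the client is willing to speak.
    (hello_ver,) = struct.unpack("!H", body[4:6])
    return {"record_version": rec_ver, "client_version": hello_ver}


def negotiate(record: bytes, server_enabled=(0x0303,)):
    """Return the name of the highest server-enabled version the client can
    reach, or None when the handshake has to fail (as in the first post's log)."""
    offered = parse_client_hello(record)["client_version"]
    usable = [v for v in server_enabled if v <= offered]
    return NAMES.get(max(usable), hex(max(usable))) if usable else None


def build_sample_hello(client_version: int) -> bytes:
    """Constructed sample: minimal ClientHello, one cipher suite, no extensions."""
    body = struct.pack("!H", client_version) + bytes(32)   # version + random
    body += b"\x00"                  # empty session_id
    body += b"\x00\x02\x00\x2f"      # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"              # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    # The record-layer version is often 0x0301 even for a TLSv1.2 client, so
    # it is the wrong field to read when checking what the client offers.
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    for ver in (0x0301, 0x0303):
        hello = build_sample_hello(ver)
        print(NAMES[ver], "->", negotiate(hello))  # server allows TLSv1.2 only
```

When checking a capture after changing the JVM arguments, the field to compare is the handshake-level client_version, not the record-layer version shown on the outer record.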
Criaz91
Participant



Joined: 09 Nov 2017
Posts: 8

Points: 111

Posted: Fri Feb 09, 2018 7:12 am

I contacted our support, and they recommended that we should use TLSv1 instead of TLSv1.2 if we would like to use the hierarchical stage... a fix exists, but not for 11.3.

Here is the URL for that fix (11.5): https://www-01.ibm.com/support/docview.wss?rs=14&uid=swg1JR57423
Criaz91
Participant



Joined: 09 Nov 2017
Posts: 8

Points: 111

Posted: Fri Feb 09, 2018 7:15 am

cdp - Thanks for your response, I will try your suggestion later; we're using TLSv1 again for now.
All times are GMT - 6 Hours